Skip to content

Slack Bot Token

Service Name: Slack

Service Description: Slack is a messaging app for business that connects people to the information they need. By bringing people together to work as one unified team, Slack transforms the way organizations communicate.

Service Address: https://slack.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the workspace level through Enterprise Grid, not directly on the bot token.

Secret Access Scope: Grants programmatic access to Slack APIs based on the bot's permissions. Bot tokens can access channels they're invited to, send messages, and perform other actions based on their OAuth scopes.

Secret Revokement URL: https://api.slack.com/apps

Secret Example: xoxb-1234567890123-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx

Suspicious Activity Investigation Instructions:

  • Review the Slack Admin dashboard for unusual bot activities or messages.
  • Check the bot's OAuth scope permissions to understand what access it has.
  • Review Slack audit logs for actions performed by the bot token.
  • Verify which channels the bot has been added to and if there are any unexpected additions.
  • Check for any unusual API calls made using the bot token through Slack's API logs.

Mitigation Instructions:

  • Navigate to the Slack API dashboard at https://api.slack.com/apps.
  • Select the app associated with the compromised bot token.
  • Go to the "OAuth & Permissions" section.
  • Click "Regenerate Token" to invalidate the existing token.
  • Update all legitimate applications using this token with the new token.
  • Review and potentially reduce the OAuth scopes granted to the bot.
  • Consider implementing IP restrictions if using Enterprise Grid.
  • Enable additional security features like requiring user approval for sensitive actions.